LiveActive security incident?Get immediate response
CVE Record

CVE-2021-46117: jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail.

jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2021-46117 describes remote code execution in JPress 4.2.0 through editable email templates in the admin panel. If an attacker can reach and use that template-editing function, they may inject code that runs on the server. The source bundle does not provide CVSS, authentication requirements, or a confirmed fix.

Executive priority

Treat this as high priority for any internet-facing or business-critical JPress 4.2.0 deployment. The impact is potentially server code execution, but urgency depends on admin-panel exposure and access controls because the public sources do not establish exploitation or prerequisites.

Technical view

The reported flaw is in io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel email-template feature can accept malicious template content, leading to remote code execution when the email path processes it. Available sources identify JPress 4.2.0, but do not define affected ranges, prerequisites, patch version, or CWE.

Likely exposure

Exposure appears limited to deployments running JPress 4.2.0 where the admin panel and email-template editing function are accessible. The sources do not confirm whether prior authentication, administrator privileges, or another vulnerability is required to reach the vulnerable function.

Exploitation context

The CVE is not listed as KEV in the provided bundle, and no cited source claims active exploitation. Public details are sparse: they describe the vulnerable function and template injection path, but not real-world attacks, exploit maturity, or reliable detection indicators.

Researcher notes

Key gaps are authentication requirements, affected version range, patch status, and execution context. Validation should focus on reproducing exposure safely in a controlled environment, reviewing the linked issue, and mapping whether template edits can reach PageNotifyKit#doSendEmail without privileged access.

Mitigation direction

  • Check JPress project guidance for a fixed release or official workaround.
  • Restrict JPress admin panel access to trusted administrators and networks.
  • Review email templates for unexpected code or recent unauthorized changes.
  • Audit administrator accounts and rotate credentials if compromise is suspected.
  • Increase monitoring around template edits and email-sending activity.

Validation and detection

  • Inventory systems running JPress and confirm exact deployed versions.
  • Determine whether any instance is running JPress 4.2.0.
  • Verify who can access the admin panel template editor.
  • Review change logs for email-template modifications around suspicious times.
  • Confirm whether vendor guidance identifies an upgrade or configuration workaround.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-46117 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.